Expose LDAP via iptables

setup/start/cloudron-firewall.sh

@@ -36,9 +36,9 @@ if allowed_udp_ports=$(node -e "console.log(JSON.parse(fs.readFileSync('${ports_
     done
 fi
 
-# ldap server
-iptables -t filter -A CLOUDRON -p tcp -m multiport --dports 636 -j ACCEPT
-iptables -A CLOUDRON_RATELIMIT -p tcp --syn --dport 636 -m connlimit --connlimit-above 5000 -j CLOUDRON_RATELIMIT_LOG
+# ldap server we expose 3004 and also redirect from standard ldaps port 636
+iptables -t filter -A CLOUDRON -p tcp -m multiport --dports 636,3004 -j ACCEPT
+iptables -t nat -I PREROUTING -p tcp --dport 636 -j REDIRECT --to-ports 3004
 
 # turn and stun service
 iptables -t filter -A CLOUDRON -p tcp -m multiport --dports 3478,5349 -j ACCEPT
@@ -80,6 +80,11 @@ for port in 22 202; do
     iptables -A CLOUDRON_RATELIMIT -p tcp --dport ${port} -m state --state NEW -m recent --update --name "public-${port}" --seconds 10 --hitcount 5 -j CLOUDRON_RATELIMIT_LOG
 done
 
+# ldaps
+for port in 636 3004; do
+    iptables -A CLOUDRON_RATELIMIT -p tcp --syn --dport ${port} -m connlimit --connlimit-above 5000 -j CLOUDRON_RATELIMIT_LOG
+done
+
 # docker translates (dnat) 25, 587, 993, 4190 in the PREROUTING step
 for port in 2525 4190 9993; do
     iptables -A CLOUDRON_RATELIMIT -p tcp --syn ! -s 172.18.0.0/16 -d 172.18.0.0/16 --dport ${port} -m connlimit --connlimit-above 50 -j CLOUDRON_RATELIMIT_LOG